--- title: System Specifications product: vercel url: /docs/sandbox/system-specifications canonical_url: "https://vercel.com/docs/sandbox/system-specifications" last_updated: 2018-10-20 type: conceptual prerequisites: - /docs/sandbox related: - /docs/sandbox/concepts/firewall summary: Detailed specifications for the Vercel Sandbox environment. install_vercel_plugin: npx plugins add vercel/vercel-plugin --- # System Specifications Vercel Sandbox provides a secure, isolated environment for running your code. This page details the runtime environments, available packages, and system configuration. ## Runtimes Sandbox includes `node26`, `node24`, `node22`, and `python3.13` images. In all of these images: - User code is executed as the `vercel-sandbox` user. - The default working directory is `/vercel/sandbox`. - `sudo` access is available. | | Runtime | Package managers | | ------------ | ------------------------- | ---------------- | | `node26` | `/vercel/runtimes/node26` | `npm`, `pnpm` | | `node24` | `/vercel/runtimes/node24` | `npm`, `pnpm` | | `node22` | `/vercel/runtimes/node22` | `npm`, `pnpm` | | `python3.13` | `/vercel/runtimes/python` | `pip`, `uv` | `node24` is the default runtime if the `runtime` property is not specified. ### Available packages The base system is Amazon Linux 2023 with the following additional packages: - `bind-utils` - `bzip2` - `findutils` - `git` - `gzip` - `iputils` - `libicu` - `libjpeg` - `libpng` - `ncurses-libs` - `openssl` - `openssl-libs` - `procps` - `tar` - `unzip` - `which` - `whois` - `zstd` You can install additional packages using `dnf`. See [How to install system packages in Vercel Sandbox](/kb/guide/how-to-install-system-packages-in-vercel-sandbox) for examples. You can find the [list of available packages](https://docs.aws.amazon.com/linux/al2023/release-notes/all-packages-AL2023.7.html) on the Amazon Linux documentation. ### Proxy CA certificates Vercel Sandbox mounts a unique, per-sandbox certificate authority (CA) certificate for the sandbox proxy in these locations: - `/etc/pki/ca-trust/source/anchors/vercel-proxy-ca.pem` - `/usr/local/share/ca-certificates/vercel-proxy-ca.pem` Vercel Sandbox adds the proxy CA certificate to the system trust bundle automatically. Applications that use the system trust store do not need extra configuration. The following environment variables are also set so common tools and runtimes use the system CA bundle at `/etc/ssl/certs/ca-certificates.crt`: ```text AWS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt CARGO_HTTP_CAINFO=/etc/ssl/certs/ca-certificates.crt CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt GRPC_DEFAULT_SSL_ROOTS_FILE_PATH=/etc/ssl/certs/ca-certificates.crt NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt NODE_USE_SYSTEM_CA=1 NPM_CONFIG_CAFILE=/etc/ssl/certs/ca-certificates.crt PIP_CERT=/etc/ssl/certs/ca-certificates.crt REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt ``` If your application does not use the system trust store and these environment variables, configure it to trust one of the mounted `vercel-proxy-ca.pem` files. This is required for HTTPS traffic that the [sandbox firewall](/docs/sandbox/concepts/firewall) terminates for transformation rules. ### Sudo config The sandbox sudo configuration is designed to be straightforward: - `HOME` is set to `/root`. Commands executed with sudo will source root's configuration files (e.g. `.gitconfig`, `.bashrc`, etc). - `PATH` is left unchanged. Local or project-specific binaries will still be available when running with elevated privileges. - The executed command inherits all other environment variables that were set. --- [View full sitemap](/docs/sitemap)